Remove separate galera.ssl state
This patch removes separate state galera.ssl as it was previously
wrongly introduced. Instead include ssl tasks to master/slave when
ssl is enabled.
This fixes missing requirements when applying separate states.
Ensure that mysql package is installed before changing group
ownership for ssl files to mysql, as group will be added by mysql
packages.
Fix ssl inital configuration. SSL settings are not applied during
service reload, we have to add them during initial galera cluster
start.
Change-Id: Iff9a268000c3e5e722cc6e197cfd223ec1015f73
Related-Prod: PROD-16695
diff --git a/galera/ssl.sls b/galera/_ssl.sls
similarity index 82%
rename from galera/ssl.sls
rename to galera/_ssl.sls
index f13fe5a..2daf44a 100644
--- a/galera/ssl.sls
+++ b/galera/_ssl.sls
@@ -1,7 +1,9 @@
{%- from "galera/map.jinja" import master, slave with context %}
-
-{%- set service = master if pillar.galera.master is defined else slave %}
-{%- set role = 'master' if pillar.galera.master is defined else 'slave' %}
+{%- if master.get('enabled', False) %}
+ {%- set service, role = master, 'master' %}
+{%- elif slave.get('enabled', False) %}
+ {%- set service, role = slave, 'slave' %}
+{%- endif %}
{%- if service.get('ssl', {}).get('enabled', False) %}
{%- if service.ssl.cacert_chain is defined %}
@@ -13,6 +15,7 @@
- makedirs: true
- require_in:
- service: galera_service
+ - file: galera_config
{%- else %}
mysql_cacertificate_exists:
file.exists:
@@ -26,6 +29,7 @@
- file: mysql_cacertificate_exists
- require_in:
- service: galera_service
+ - file: galera_config
{%- endif %}
{%- if service.ssl.cert is defined %}
@@ -37,6 +41,7 @@
- makedirs: true
- require_in:
- service: galera_service
+ - file: galera_config
{%- else %}
mysql_certificate_exists:
file.exists:
@@ -50,6 +55,7 @@
- file: mysql_certificate_exists
- require_in:
- service: galera_service
+ - file: galera_config
{%- endif %}
{%- if service.ssl.key is defined %}
@@ -61,8 +67,11 @@
- group: mysql
- mode: 0440
- makedirs: true
+ - require:
+ - pkg: galera_packages
- require_in:
- service: galera_service
+ - file: galera_config
{%- else %}
mysql_server_key_exists:
file.exists:
@@ -76,8 +85,10 @@
- create: False
- require:
- file: mysql_server_key_exists
+ - pkg: galera_packages
- require_in:
- service: galera_service
+ - file: galera_config
{%- endif %}
{%- endif %}
diff --git a/galera/files/my.cnf.init b/galera/files/my.cnf.init
index 9b0a0c1..a5ea26d 100644
--- a/galera/files/my.cnf.init
+++ b/galera/files/my.cnf.init
@@ -58,6 +58,13 @@
wsrep_provider_options="gcache.size = 256M"
wsrep_provider_options="gmcast.listen_addr = tcp://{{ service.bind.address }}:4567"
+{% if service.get('ssl', {}).get('enabled', False) %}
+wsrep_provider_options="socket.ssl=yes;socket.ssl_key={{ service.ssl.key_file }};socket.ssl_cert={{ service.ssl.cert_file }};socket.ssl_ca={{ service.ssl.ca_file }}"
+ssl-ca={{ service.ssl.ca_file }}
+ssl-cert={{ service.ssl.cert_file }}
+ssl-key={{ service.ssl.key_file }}
+{% endif %}
+
[xtrabackup]
parallel=4
diff --git a/galera/init.sls b/galera/init.sls
index 9944b4c..bc55f36 100644
--- a/galera/init.sls
+++ b/galera/init.sls
@@ -1,7 +1,6 @@
{%- if pillar.galera is defined %}
include:
-- galera.ssl
{%- if pillar.galera.master is defined %}
- galera.master
{%- endif %}
diff --git a/galera/master.sls b/galera/master.sls
index 274f983..28c211e 100644
--- a/galera/master.sls
+++ b/galera/master.sls
@@ -1,6 +1,11 @@
{%- from "galera/map.jinja" import master with context %}
{%- if master.get('enabled', False) %}
+{%- if master.get('ssl', {}).get('enabled', False) %}
+include:
+ - galera._ssl
+{%- endif %}
+
{%- if grains.os_family == 'RedHat' %}
xtrabackup_repo:
pkg.installed:
diff --git a/galera/slave.sls b/galera/slave.sls
index 290d371..92bf324 100644
--- a/galera/slave.sls
+++ b/galera/slave.sls
@@ -1,6 +1,11 @@
{%- from "galera/map.jinja" import slave with context %}
{%- if slave.get('enabled', False) %}
+{%- if slave.get('ssl', {}).get('enabled', False) %}
+include:
+ - galera._ssl
+{%- endif %}
+
{%- if grains.os_family == 'RedHat' %}
xtrabackup_repo:
pkg.installed: